(54) Title: APPARATUS FOR KEY DISTRIBUTION IN AN ENCRYPTION SYSTEM



(57) Abstract 

An encryption/decryption apparatus enables encrypted communication
between two stations each incorporating such an apparatus. The
apparatus is arranged when acting as sender to create (at 71) a
mutual primitive from stored items of data, to generate a random
session key and encrypt the random session key (at 73) in accordance
with the mutual primitive for transmission of the encrypted session
key to the recipient station. The sender apparatus further encrypts
the main message (at 72) in accordance with the random session key
for transmission of the encrypted message to the recipient station.
The sender apparatus also stores a registration code and transmits
this to the recipient station, where it is decoded (at 74) to
recreate the mutual primitive from items of data stored at the
recipient station. The recipient apparatus decrypts the encrypted
session key (at 75), using the recreated mutual primitive, and then
decrypts the main message (at 76) using the recreated random session
key.

APPARATUS FOR KEY DISTRIBUTION IN AN ENCRYPTION SYSTEM



The present invention relates to arrangements for the
automatic encryption and decryption of electronically
transmitted messages, particularly in the fields of telephone,
facsimile or computer data transmission for example.

In general, for the purposes of encrypting
transmissions, the message is encrypted in accordance with a
selected key. In transmission networks, all key generating
systems aim to avoid an exponential growth in the number of
encryption keys needed to serve the network, as the number of
stations increases. Thus, the number of encryption keys needed
is equal to N(N-1)/2, where N is the number of stations in the
network. If there are 5 stations, the number of keys required
(to provide a unique key for each pair of the network) is 5 x
4/2 = 10. However, if the number of stations grows to, say,
1000, the number of encryption keys required is 499,500.

Strong encryption depends upon a frequent change of the
encryption key used for the transmission between each pair of
stations: preferably the encryption key is changed for each
transmission (or session). This then poses difficult problems
for the dissemination or distribution of encryption keys in a
large network of stations.

One solution to this problem is to provide a key
distribution centre (KDC) situated in the network, which by
some means distributes encryption keys securely on an ad hoc
basis to both the sender and recipient of each transmission.
Clearly these encryption keys cannot be sent openly, so the
system requires a second level of encryption.

Another, and now generally favoured solution, is a
system in which the problem of providing secret key
distribution becomes irrelevant because recipient's keys are
fixed and publicly known, so that it is only necessary for the
sender to look up the recipient's public key (rather like
looking up his telephone number), after which security of
transmission is safeguarded by the mathematical logic and
algorithms used in the message encryption and decryption
processes. The outstanding contribution in this field is the
system known as the RSA public key encryption system.

In the RSA system, a secure and tamper-proof memory
store holds data derived from two very large, secret prime
numbers, the product of which is the so-called "public key".
The RSA system uses this data for generating encryption keys
to allow an independently-designed cypher to transmit
information securely between a pair of stations. If the value
of either prime number becomes known, all future transmitted
messages are breakable (decypherable). Like any other system
using fixed keys, the RSA system is secured only by the
physical difficulty of accessing the secret data and the
complexity of running trial-and-error attempts to break the
key.

In accordance with this invention, there is provided an
encryption/decryption apparatus to enable encrypted
communication between two stations each incorporating such an
apparatus, said apparatus being arranged to create a mutual
code from stored items of data, to generate a random session
key and encrypt the random session key in accordance with the
mutual code for transmission of the encrypted session key to
a recipient station, to encrypt a main message in accordance
with the random session key for transmission of the encrypted
message to the recipient station, and to store a registration
code for transmission to the recipient station to enable the
recipient station to decode the registration code to thereby
recreate said mutual code from items of data stored at the
recipient station.

In use the encryption/decryption apparatus at the
sender station transmits the encrypted session key and the
registration code as preliminary items of data (or headers) to
the main message. The encryption/decryption apparatus at the
recipient station decodes the registration code to recreate the
mutual code, using items of data stored at the recipient
station: preferably these items of data include unique
identity codes of the recipient station and also codes
representing the addresses (e.g. telephone numbers) of the
sender and recipient. The recipient encryption/decryption
apparatus is then able to decrypt the encrypted session key,
in accordance with its recreated mutual code, in order to
recreate the random session key. The received encrypted main
message can then be decrypted, using the recreated random
session key.

At the sender, the items of data, from which the mutual
code is created, preferably include unique identity codes of
the sender station and also codes representing the addresses
(e.g. telephone numbers) of the sender and recipient.
Preferably at the sender, the mutual code is formed by an
irreversible encryption: an irreversible encryption is
achieved in that the encryption key is derived in part from the
code to be encrypted - the original code cannot then be
recreated from the encrypted code.

Preferably the registration code is created and stored
in the sender's encryption/decryption apparatus in an initial
registration procedure, in which both sender and recipient make
use of a predetermined key which is agreed in advance between
the sender and recipient. Thus, preferably the sender
apparatus creates the mutual code (as described above) and
encrypts this using the agreed key to form a transfer key,
which is transmitted to the recipient. The recipient apparatus
is able to use the agreed key to decrypt the transfer key in
order to recreate the mutual code. The recipient apparatus now
encrypts the mutual code in accordance with a further key to
create the registration code, which is transmitted back to the
sender apparatus for storing in its memory: this further code,
used by the recipient apparatus to encrypt the mutual code,
preferably uses items of data stored by the recipient apparatus
(e.g. including unique identity codes of the recipient and the
addresses - e.g. telephone numbers - of both sender and
recipient).

Preferably the agreed key is not stored at either
sender or recipient, although if it is stored, then after it
has been used for the registration procedure, it is erased from
memory at both sender and recipient stations. It will be noted
that although the mutual code is independently created at both
sender and recipient stations (firstly during registration and
subsequently during each transmission), it is not retained in
memory. Likewise, the transfer key is not stored in either
sender or recipient apparatus, and the registration code is
stored by the sender only.

The registration procedure is performed a first time to
enable a first station, of a given pair of stations, to
transmit to the second station of the pair, and must be
performed a second time to enable the second station of the
pair to transmit to the first. Thus each station will store
a registration code enabling it to transmit in future to the
other station of the pair: but before the station can transmit
to any other station in the network, it must undertake a
similar registration procedure with each such other station
(preferably using a different agreed key in each case).

Embodiments of this invention will now be described by
way of examples only and with reference to the accompanying
drawings, in which:

FIGURE 1 is a schematic block diagram of an
encrypting/decrypting unit included in or associated with each
sender/recipient machine;

FIGURE 2 is a flow diagram to explain the principles of
a symmetric algorithm used to encrypt a message;

FIGURE 3 is a similar flow diagram to explain the
reverse algorithm used to decrypt an encrypted message;

FIGURE 4 is a flow diagram to explain the irreversible
encryption of a message;

FIGURE 5 is a flow diagram to explain the generation of
a pseudo-random stream;

FIGURE 6 is a flow diagram to explain the operation of
encrypting/decrypting units at sender and recipient stations
for the purposes of mutual registrations;

FIGURE 7 is a flow diagram to explain the operation of
the encrypting/decrypting units at sender and recipient
stations for automatic, encrypted communication;

FIGURE 8 is a flow diagram to explain the generation of
a two-time key; and

FIGURE 9 is a flow diagram to explain the operation of
encrypting/decrypting units at the sender and recipient
stations for the purposes of automatic registration.

Referring to Figure 1, there is shown an
encryption/decryption unit incorporated in or associated with
the transmitter/receiver machine at each station of a
communications network. Each such unit comprises a power
supply terminal 1 for use where power is not supplied by the
host machine, an optional battery back-up 2 to maintain power
to the unit's memory in the event of loss of mains power, first
and second memory stores 3, 4 holding data programmed into the
unit at manufacture, a memory store 5 holding data supplied by
data sources in communication with the unit, and a memory store
6 holding data programmed into the unit at installation and
immediately prior to use. The unit further comprises a
microprocessor 7 which runs a key management algorithm (KMA),
and a microprocessor 8 which runs a message encryption
algorithm (MEA), which may be a DES (data encryption standard)
or other proprietary encryption algorithm. The unit also
comprises a serial data port 9 for use when the unit is
connected between a data terminal and a modem, and a parallel
data port 10 for use when the unit is connected to a device for
transmitting additional data. Control keys 11 include a power
on/off switch and mode selection keys. Coloured display lights
12 indicate power on/off and the various modes selected by the
selection keys 11.

The key management algorithm (KMA) operates
substantially as a stream cypher algorithm: the
characteristics of a stream cypher will now be explained.

Stream cyphers are well-known in the encypherment art
and spring from a principle first established by Vigenère in
the sixteenth century. In modern form, a pseudo-random stream
is derived using a key from a plurality of smaller numbers, so-
called primitives. A simple example of encypherment using a
pseudo-random stream, and based on the 26 letters of the
alphabet, illustrates the principle:

Plain message:        ENEMY ATTACK
Pseudo-random stream: 16 3 25 19 7 13 21 0 3 16 9

The plain message is encyphered by adding the
successive numbers of the stream to numbers representing the
successive characters of the plain message (the latter numbers
being allocated on the basis of A = 0, B = 1 ... Z = 25),
giving in this case the encyphered message:

UQDFFNOTDST

Note for example that M = 12, so M + 19 = 31, and 31 =
(26) + 5, 5 = F.

This message is decrypted by subtracting the successive
numbers of the same pseudo-random stream from the numbers
representing the successive characters of the encyphered
message. The cypher is therefore symmetric, in that the same
primitives are used to generate the same pseudo-random stream
for encryption or decryption.

Figures 2 and 3 schematically show the principles of
the stream cypher used in the key management algorithm KMA by
the processor 7. A plurality of primitives are derived from
variables A, B, C, D ... and used to form a pseudo-random
stream PPPPP... The variables A, B, C, D ... might include
a fax number, a 10 character string, even a short message, or
the output of an earlier encryption procedure. Provided the
values of the variables A, B, C, D ... remain unchanged and the
algorithm is altered from "addition" (+1 i.e. encryption) to
"subtraction" (-1 i.e. decryption), then whilst Figure 2
provides an encyphered text 20 from a plaintext 21, Figure 3
represents the inverse of Figure 2 and reforms the original
plaintext 21 from the encyphered text 20.

However, instead of the reversible mode illustrated by
Figures 2 and 3, the key management algorithm may be used in
an irreversible mode: that is to say, an encryption procedure
can be performed, but the inverse procedure cannot logically
occur. Thus, referring to Figure 4, one of the primitives for
the pseudo-random stream is derived from a variable E which
also forms the plain message to be encrypted: it is therefore
impossible to recreate the plain message E; thus for
decryption, the primitive derived from E is unknown and the
pseudo-random stream cannot be formed, so that the encryption
is irreversible.

In accordance with this invention, it is necessary for
the encryption/decryption units at the two stations to undergo
a registration procedure to enable them subsequently to
communicate with each other. The procedure in this
registration mode will now be described with reference to
Figure 6.

The registration procedure makes use of a 56-character
randomly-generated secret code (Unique Identity String S) which
has been programmed into the memory store 3 of the sender
unit, and a 12-character randomly-generated code (Unique Crypt
String S) which has been programmed into the memory store 4.
Primitives are derived from the sender's and recipient's
addresses (ADS-S and ADS-R) and from the sender's Unique
Identity String S and Unique Crypt String S, and a pseudo-
random stream PPPP... is generated from these primitives. The
Unique Crypt String S also forms the message which is now
encrypted at 61 using the key management algorithm (KMA + 1)
and, because the Unique Crypt String S is used both as the
message and to derive one of the primitives, the encryption is
irreversible: the output is termed here the Mutual Primitive.
Next this Mutual Primitive is encrypted at 62 by a one-time key
using the key management algorithm (KMA + 1) to form a Transfer
key, which is then transmitted to the recipient station.

The encryption/decryption unit at the recipient station
now uses the one-time key and the key management algorithm
(KMA - 1) at 63 to decrypt the Transfer key and so re-create the
Mutual Primitive. For this purpose, both sender and recipient
must agree the one-time key in advance, using a separate
communication medium: for example if the communication medium
which is required to be encyphered is facsimile, the one-time
key may be agreed by means of a telephone conversation over a
different telephone line, or through the postal service.

Next the unit at the recipient station generates a
pseudo-random stream from primitives derived from the
recipient's and sender's addresses (ADS-R and ADS-S) and from
its own Unique Identity String R and Unique Crypt String R:
this stream is used at 64 to encrypt the Mutual Primitive,
using the key management algorithm (KMA + 1), to form a
Registered Crypt String, which is then transmitted in plain to
the sender station and stored in its memory store 5, along with
the recipient's address, for use in future automatic
communications between these particular two stations.

The registration process has stored the Registered
Crypt String in the sender's unit, and both stations will
subsequently be able to recreate a mutual secret (the Mutual
Primitive) to enable future automatic but encrypted
communications between the two stations. The Mutual Primitive
is not however stored in either sender or recipient unit, or
if it is temporarily stored it is erased after its use in the
registration procedure. The automatic communication mode will
now be described with reference to Figure 7.

The sender station creates the main message, which is
to be encrypted at the sender unit, then to be transmitted in
securely encrypted form to the recipient station, and to be
decrypted at the recipient station to re-create the main
message. In order to do this, the following steps are carried
out.

The sender unit re-creates the Mutual Primitive, using
the key management algorithm (KMA + 1) at 71 to encrypt the
Unique Crypt String S using the pseudo-random stream generated
by primitives derived (as previously) from the sender's and
recipient's addresses (ADS-S and ADS-R), the Unique Identity
String S and the Unique Crypt String S. The sender's key
management algorithm also at 72 creates a random session key,
which is then used to encrypt the main message using a message
encryption algorithm (MEA + 1), to form the encrypted main
message.

The random session key is also encrypted by the Mutual
Primitive at 73 using the key management algorithm (KMA + 1),
to form the encrypted session key. The registered crypt string
and the encrypted session key are transmitted, as headers to
the encrypted main message, to the recipient station.

The recipient station unit re-creates the pseudo-random
stream from the primitives derived from the recipient's and
sender's addresses (ADS-R and ADS-S) and the recipient's Unique
Identity String R and Unique Crypt String R. This pseudo-
random stream decrypts the registered crypt string at 74 using
the key management algorithm (KMA - 1), to re-create the Mutual
Primitive. This re-created Mutual Primitive decrypts the
encrypted session key at 75, again using the key management
algorithm, to re-create the random session key at the recipient.
The recipient unit now has the essential key (the random
session key) required to decrypt the main message, at 76.

It will be appreciated that a fresh session key will be
generated for each new transmission. Indeed, even within a
given transmission (or session), the session key can be changed
periodically, e.g. after predetermined intervals of time or,
in the case of a facsimile transmission, at the end of each
page (or even at the end of each line) of a transmitted text.
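
The registration and automatic-communication exchanges of Figures 6
and 7, including the irreversible creation of the Mutual Primitive
(Figure 4), as an added Python example that is not code from the
patent. Assumptions: the pseudo-random stream generator is not
specified on the page, so SHA-256 in counter mode stands in for it;
the same additive cypher stands in for the message encryption
algorithm; the Mutual Primitive is taken as the sole primitive when
encrypting the session key; the addresses, the one-time key and all
function and class names are constructed for illustration.

```python
import hashlib
import secrets
import string

A = string.ascii_uppercase  # the page's alphabet: A = 0, B = 1 ... Z = 25

def rand_letters(n):
    return "".join(secrets.choice(A) for _ in range(n))

def stream(primitives, n):
    """n stream numbers (0..25) derived from a list of primitives.
    Assumption: SHA-256 in counter mode stands in for the patent's generator."""
    seed = b"".join(len(p).to_bytes(2, "big") + p.encode() for p in primitives)
    out, ctr = [], 0
    while len(out) < n:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out += [b % 26 for b in block if b < 234]  # 234 = 9 * 26: no modulo bias
        ctr += 1
    return out[:n]

def kma(text, nums, direction):
    """KMA +1 adds the stream to the text, KMA -1 subtracts it (mod 26)."""
    return "".join(A[(A.index(c) + direction * k) % 26] for c, k in zip(text, nums))

def mea(text, session_key, direction):
    """Stand-in for the message encryption algorithm (the page names DES)."""
    return kma(text, stream([session_key], len(text)), direction)

class Station:
    def __init__(self, address):
        self.address = address
        self.uis = rand_letters(56)  # Unique Identity String (memory store 3)
        self.ucs = rand_letters(12)  # Unique Crypt String (memory store 4)
        self.registered = {}         # store 5: peer address -> Registered Crypt String

    def _stream_for(self, peer, n):
        # Primitives: own address, peer address, own identity and crypt strings.
        return stream([self.address, peer, self.uis, self.ucs], n)

    def mutual_primitive(self, peer):
        # Irreversible mode: the Unique Crypt String is both the message and a
        # primitive of the stream. Recomputed on demand, never stored.
        return kma(self.ucs, self._stream_for(peer, len(self.ucs)), +1)

    # Registration (Figure 6)
    def make_transfer_key(self, peer, one_time_key):
        mp = self.mutual_primitive(peer)                                       # 61
        return kma(mp, stream([one_time_key], len(mp)), +1)                    # 62

    def make_registered_crypt_string(self, peer, transfer_key, one_time_key):
        mp = kma(transfer_key, stream([one_time_key], len(transfer_key)), -1)  # 63
        return kma(mp, self._stream_for(peer, len(mp)), +1)                    # 64

    # Automatic communication (Figure 7)
    def send(self, peer, message):
        mp = self.mutual_primitive(peer)                            # 71
        session_key = rand_letters(12)                              # fresh each time
        body = mea(message, session_key, +1)                        # 72
        esk = kma(session_key, stream([mp], len(session_key)), +1)  # 73
        return self.registered[peer], esk, body  # two headers, then the message

    def receive(self, peer, packet):
        rcs, esk, body = packet
        mp = kma(rcs, self._stream_for(peer, len(rcs)), -1)         # 74
        session_key = kma(esk, stream([mp], len(esk)), -1)          # 75
        return mea(body, session_key, -1)                           # 76

def register(sender, recipient, one_time_key):
    """One direction of registration; the one-time key is agreed out of band."""
    tk = sender.make_transfer_key(recipient.address, one_time_key)
    rcs = recipient.make_registered_crypt_string(sender.address, tk, one_time_key)
    sender.registered[recipient.address] = rcs  # returned in plain, kept by sender

if __name__ == "__main__":
    a, b = Station("02079460001"), Station("01614960002")  # constructed addresses
    register(a, b, "AGREEDBYPHONE")                         # constructed one-time key
    packet = a.send(b.address, "ENEMYATTACK")
    print(packet, "->", b.receive(a.address, packet))
```

Called with the stream from the worked example above, `kma` turns
ENEMYATTACK into UQDFFNOTDST, and the recipient holds no per-sender
state: everything it needs arrives in the two headers.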

It will be appreciated that, in registration mode,
double registration is required between each pair of stations,
first one station acting as sender and the other as recipient
and then these roles being exchanged, so that communication in
either direction can be carried out subsequently. There is
little sacrifice of security if the same one-time key is used
for both registrations between the same pair of stations.

In the case of managed networks, for example a network
of branch offices of a bank, all potential users of the system
are known at the time of installation of the network. In
these cases, preferably the encryption/decryption unit is
arranged to enable an automatic registration procedure,
eliminating the need for each pair of stations to devise and
exchange one-way keys. This automatic registration operates
as follows.

A master version of the key management algorithm is run
on a processor, e.g. a PC, which is separate from the network,
and operates as shown in Figure 5 to produce a pseudo-random
stream which is used to derive a two-time key for each pair of
stations: the key is called a two-time key because it serves
as a key for a two-way registration procedure between the
relevant pair of stations. Figure 8 shows how the two-time key
is created, namely by applying the key management algorithm at
81 to a pseudo-random stream based on a system primitive and
primitives derived from the addresses of the two stations (ADS-S
and ADS-R).

Memory store 6 of each encryption/decryption unit then
stores a set of two-time keys, needed for registration of that
unit with each of the other units in the network. For example
in the case of a network of 1000 stations, the memory store 6
of each encryption unit stores 999 two-time keys, each of six
figures.

Automatic registration will now be further explained
with reference to Figure 9: the similarity to Figure 6 will
be noted and corresponding reference numerals are used. In
automatic registration suppose one unit, acting as sender,
wishes to register with another unit. The sender unit searches
for the appropriate two-time key, and recognises three possible
conditions. In the first condition, the relevant two-time key
has not yet been used for registration: the two stations
proceed with registration generally as set out in Figure 9, the
registration thus enabling future transmission from the one
unit to the other. In the second condition, the sender unit
finds that the relevant two-time key has been used once before:
the second registration is now performed, with the roles of
sender and recipient being reversed. Now that the two-time key
has been used twice, and therefore fulfilled its purposes, each
of the pair of units erases the relevant two-time key from its
memory store 6. In the third condition, the unit finds that
the relevant two-time key has already been used twice and
erased from memory: the relevant pair of units will therefore
proceed with automatic encyphered communication.

It will be appreciated that the present invention
avoids the need, which is common in prior art systems, for an
exchange to take place between sender and recipient, prior to
transmission of the encrypted message, in order that the
recipient will know the session key to be used. Thus, the
invention involves a once-and-for-all registration procedure,
which then holds good for all future transmissions but still
different session keys are used at different times. In
particular, all initiatives prior to a transmission involve the
sender only: the sender's message is complete in itself and
contains all the necessary information for the recipient to
convert the message to plain. The only information which is
required to be securely protected is a pair of unique
identifiers (the unique identity string and the unique crypt
string), and in practice both these may be contained in a
single string. All other information is either created afresh
with each transmission (the mutual primitive) or has no secrecy
value (the registered crypt string).

CLAIMS

1) An encryption/decryption apparatus to enable encrypted
communication between two stations each incorporating such an
apparatus, said apparatus being arranged to create a mutual
code from stored items of data, to generate a random session
key and encrypt the random session key in accordance with the
mutual code for transmission of the encrypted session key to
a recipient station, to encrypt a main message in accordance
with the random session key for transmission of the encrypted
message to the recipient station, and to store a registration
code for transmission to the recipient station to enable the
recipient station to decode the registration code to thereby
recreate said mutual code from items of data stored at the
recipient station, the apparatus being further arranged for
creation and storage therein of said registration code in an
initial registration procedure, in which the apparatus, acting
as sender, is arranged to create the mutual code and encrypt
this using a pre-agreed key to form a transfer key and to
transmit this to the recipient.

2) An apparatus as claimed in claim 1, arranged, when
acting as recipient in the registration procedure, to decrypt
the received transfer key using the pre-agreed key in order to
recreate the mutual code.

3) An apparatus as claimed in claim 2, arranged, when
acting as recipient in the registration procedure, to encrypt
the recreated mutual code in accordance with a further key to
create the registration code, and to transmit this registration
code to the sender for storage therein.

4) An encryption/decryption apparatus to enable encrypted
communication between two stations each incorporating such an
apparatus, said apparatus being arranged to create a mutual
code from stored items of data, to generate a random session
key and encrypt the random session key in accordance with the
mutual code for transmission of the encrypted session key to
a recipient station, to encrypt a main message in accordance
with the random session key for transmission of the encrypted
message to the recipient station, and to store a registration
code for transmission to the recipient station to enable the
recipient station to decode the registration code to thereby
recreate said mutual code from items of data stored at the
recipient station.

5) An apparatus as claimed in claim 4, arranged, when
acting as sender, to transmit the encrypted session key and
registration code as items of data preliminary to the main
message.

6) An apparatus as claimed in claim 4 or 5, arranged, when
acting as recipient, to decode the registration code to
recreate the mutual code, using items of data stored in the
apparatus.

7) An apparatus as claimed in claim 6, arranged, when
acting as recipient, to decrypt the encrypted session key, in
accordance with its recreated mutual code, in order to recreate
the random session key.

8) An apparatus as claimed in any one of claims 4 to 7,
arranged, when acting as sender, to form the mutual code by an
irreversible encryption.

9) An apparatus as claimed in any one of claims 4 to 8,
arranged for creation and storage therein of the registration
code in an initial registration procedure, the apparatus, when
acting as sender being arranged to create the mutual code and
encrypt this using a pre-agreed key to form a transfer key and
to transmit this to the recipient.

10) An apparatus as claimed in claim 9, arranged when
acting as recipient in the registration procedure, to decrypt
the received transfer key using the pre-agreed key in order to
recreate the mutual code.

11) An apparatus as claimed in claim 10, arranged, when
acting as recipient in the registration procedure, to encrypt
the recreated mutual code in accordance with a further key to
create the registration code, and to transmit this registration
code to the sender for storage therein.